SAN FRANCISCO — An AI system has identified a critical security vulnerability that had been sitting inside OpenBSD code, undetected, for twenty-seven years — prompting emergency patches, a $100 million commitment from Anthropic to open-source security, and a very uncomfortable Sunday phone call to a retired programmer in suburban Ohio.
The flaw, introduced in 1999 during what three sources independently characterised as “definitely a Friday afternoon,” survived through six US presidential administrations, the dot-com bubble and its collapse, the rise and fall of three social media platforms, two complete reinventions of JavaScript, and what the security community refers to simply as “the PHP years.”
It was found by an AI model in three hours and forty-one minutes.
“I’m deeply sorry,” said Gary Matthiessen, 74, the contractor who introduced the vulnerability while working on a networking stack update. “I’m also, and I want to be careful how I say this, a little bit impressed with myself. It lasted longer than my marriage.”
How It Was Found
According to researchers involved in the project, the AI was given access to large open-source codebases and instructed to identify potential security flaws with no guidance on where to look or what to prioritise. It produced a ranked list of vulnerabilities within hours, with the twenty-seven-year-old OpenBSD flaw sitting at number three.
Numbers one and two were from FFmpeg, introduced in 2010 and 2014 respectively, making them considerably younger. The FFmpeg developers were notified and described their reaction as “relief” that they had only missed it for sixteen years.
“The AI didn’t find one old bug,” said a security researcher briefed on the findings, who requested anonymity because they had not yet told their manager about numbers four through nineteen. “It found thousands. We are working through the list. It is a long list. Please stop calling.”
Industry Response
Anthropic announced it is committing up to $100 million in usage credits and $4 million in cash donations to open-source security groups in response to the findings, describing the moment as “an inflection point for how we think about software reliability.”
Several prominent security researchers said the announcement was “very welcome” and also “possibly not enough, given what’s on the list.”
The OpenBSD Foundation issued a statement thanking the researchers and noting that the vulnerability had been present in versions 2.5 through the current release, a span of software history it described as “broader than we would have liked.” The foundation added that no known exploits of the specific flaw had been detected, which it called “good news,” and which Matthiessen called “vindicating, honestly.”
“If someone had found it back then, I’d have been fired and probably blacklisted,” he said. “Instead I just quietly moved on. I’ve been in property since 2003. It’s been lovely.”
The Human Angle
Security professionals say the episode raises hard questions about what it means that an AI found in an afternoon what a global community of expert reviewers missed for three decades.
“The charitable read,” said Dr. Sofia Brennan, a professor of Computer Security at Carnegie Mellon, “is that humans are good at many things, and detailed static analysis of millions of lines of legacy C code is not among them. The uncharitable read is that we’ve all just been hoping for the best.”
She paused.
“Both reads are true.”
Several developers took to forums to argue that the flaw was subtle, understandable given the tools available in 1999, and that Matthiessen should not be singled out. Others noted that the same AI had found fourteen more bugs in code written by people who had access to thirty years of additional knowledge and significantly better tooling, and that perhaps the conversation should be broader.
Matthiessen, for his part, said he bears no ill will toward the AI.
“I respect it,” he said. “I don’t understand it. I respect it. I’ve been meaning to look at what these things actually do, but my grandson showed me one and it was very fast and I got a bit overwhelmed and had to go lie down.”
He confirmed he has since patched his own home router, “just in case.”
At press time, the AI had moved on to a new repository and was believed to be approximately forty per cent of the way through the Linux kernel.
The researcher responsible for reviewing the findings asked CCNN not to print how many vulnerabilities remain on the list. We have respected this request. It is a large number.